I just inherited ownership of an API (written in Python/Flask and running on AWS, with a MongoDB back end) where the only auth was a manual email/password login.
The current process is:
- Obtain email and password from user (via app).
- Submit to the API, which returns the API key in a JSON object once the password is verified.
- Use the API key in all subsequent API calls to utilise services.
This API was used as the back end to multiple Android Apps. I now want to add OAuth to allow users to sign in/up using Google Auth, but I have hit a stumbling block with implementing this:
I can't use any other auth such as Firebase Auth, because even once the auth is done on the app (email/password or Google), I have no way of obtaining the API key without the manual password (because of the way it's implemented).
I have gone through the following topics here on SO and on the OAuth website, but nothing comes to mind on how to tackle this.
How do I handle this? Do I have to rewrite the API? I ask this because, if I 'trust' the OAuth module, I have to expose an endpoint and sensitive data to it (without authenticating with the API), which is a terrible idea.
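As an added illustration (not code from the question author or their API), the following shows the key-issuing flow the question describes, written in plain Python so it runs stand-alone: password verification, issuance of an API key, and key lookup on later calls. The key issuance is kept in its own function so that a second login path can reuse it once a caller has already verified an external identity, for example the claims of a Google ID token checked with `google.oauth2.id_token.verify_oauth2_token` (that verification step is not included here and is the caller's responsibility). The in-memory dictionaries `USERS` and `API_KEYS` are constructed stand-ins for the MongoDB collections, and all function and field names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-ins for the MongoDB collections. The document shape
# (salt, password_hash, providers) is an assumption made for this example.
USERS = {}      # email -> {"salt": bytes|None, "password_hash": bytes|None, "providers": set}
API_KEYS = {}   # sha256(api_key) hex -> email   (only the hash of a key is stored)

PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register_local_user(email: str, password: str) -> None:
    """Create an account that can log in with email/password."""
    salt = secrets.token_bytes(16)
    USERS[email] = {
        "salt": salt,
        "password_hash": _hash_password(password, salt),
        "providers": {"password"},
    }


def _issue_api_key(email: str) -> str:
    """Mint a fresh key, persist only its hash, return the plaintext once.

    This is the single place keys are created; both login paths call it,
    so issuing a key no longer depends on having seen a password.
    """
    api_key = secrets.token_urlsafe(32)
    API_KEYS[hashlib.sha256(api_key.encode("utf-8")).hexdigest()] = email
    return api_key


def login_with_password(email: str, password: str) -> Optional[dict]:
    """The existing flow: verify the password, then return {"api_key": ...}."""
    user = USERS.get(email)
    if user is None or "password" not in user["providers"]:
        return None  # unknown user, or an account that has no local password
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["password_hash"]):
        return None  # wrong password; constant-time compare on the digests
    return {"api_key": _issue_api_key(email)}


def login_with_verified_identity(claims: dict) -> Optional[dict]:
    """Second flow: accept claims of an ID token the caller has ALREADY verified
    (signature, audience, issuer, expiry), link or create the account, and issue
    the same kind of API key. The claims are trusted only for account linking;
    this function never performs or bypasses token verification itself.
    """
    email = claims.get("email")
    if not email or not claims.get("email_verified"):
        return None  # never link an account on an unverified e-mail claim
    provider = claims.get("iss", "oidc")
    user = USERS.get(email)
    if user is None:
        USERS[email] = {"salt": None, "password_hash": None, "providers": {provider}}
    else:
        user["providers"].add(provider)
    return {"api_key": _issue_api_key(email)}


def user_for_api_key(api_key: str) -> Optional[str]:
    """Resolve the key presented on a later call to its owner (None if unknown)."""
    return API_KEYS.get(hashlib.sha256(api_key.encode("utf-8")).hexdigest())


if __name__ == "__main__":
    register_local_user("alice@example.com", "correct horse battery staple")
    key = login_with_password("alice@example.com", "correct horse battery staple")["api_key"]
    print("password login ->", user_for_api_key(key))
    federated = login_with_verified_identity(
        {"iss": "https://accounts.google.com", "email": "bob@example.com", "email_verified": True}
    )
    print("federated login ->", user_for_api_key(federated["api_key"]))
```

An account created only through the external provider has no password hash, so `login_with_password` rejects it rather than comparing against `None`; and because the provider path requires `email_verified`, an attacker who controls a provider account with an unverified e-mail address cannot take over an existing local account that uses the same address.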